Git with a cup of tea! Painless self-hosted all-in-one software development service, includes Git hosting, code review, team collaboration, package registry and CI/CD
Go to file
Jack Hay 18de83b2a3
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
    - `activitypub`
    - `admin` (hidden if user is not a site admin)
    - `misc`
    - `notification`
    - `organization`
    - `package`
    - `issue`
    - `repository`
    - `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
  -  `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
  - `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection

### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">

## tokenRequiresScopes  Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error

## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
   -  _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
   - _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
   - _This should be addressed in this PR_
   - For example: 
   ```go
	m.Group("/users/{username}/orgs", func() {
		m.Get("", reqToken(), org.ListUserOrgs)
		m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
   ```

## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default

Closes #24501
Closes #24799

Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
.gitea Issue template form (#16349) 2021-09-15 20:33:13 +03:00
.github Clean up github actions (#24984) 2023-05-30 13:31:00 +08:00
assets Update github.com/google/go-github to v52 (#24004) 2023-05-31 00:31:51 +00:00
build Refactor INI package (first step) (#25024) 2023-06-02 17:27:30 +08:00
cmd Use the type RefName for all the needed places and fix pull mirror sync bugs (#24634) 2023-05-26 01:04:48 +00:00
contrib Refactor INI package (first step) (#25024) 2023-06-02 17:27:30 +08:00
custom/conf Remove the service worker (#25010) 2023-05-31 02:07:04 +00:00
docker Unify nightly naming across binaries and docker images (#24116) 2023-04-24 23:43:19 +08:00
docs Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
models Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
modules Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
options Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
public/img Add PDF rendering via PDFObject (#24086) 2023-05-29 12:10:00 +00:00
routers Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
services Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
snap Upgrade snap to node 20 (#24990) 2023-05-29 22:41:56 +02:00
templates Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
tests Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
web_src Redesign Scoped Access Tokens (#24767) 2023-06-04 20:57:16 +02:00
.air.toml Reduce verbosity of dev commands (#24917) 2023-05-24 20:11:04 +00:00
.changelog.yml Changelog for v1.15.0-rc1 (#16422) 2021-07-15 11:47:57 -04:00
.dockerignore Remove the service worker (#25010) 2023-05-31 02:07:04 +00:00
.drone.yml Upgrade to Node 20 on CI, enable actions cancellation (#24524) 2023-05-04 22:21:48 +00:00
.editorconfig Add markdownlint (#20512) 2022-07-28 09:22:47 +08:00
.eslintrc.yaml Add two eslint plugins (#24776) 2023-05-18 09:14:31 +08:00
.gitattributes Add PDF rendering via PDFObject (#24086) 2023-05-29 12:10:00 +00:00
.gitignore Update repo's default branch when adding new files in an empty one (#25017) 2023-05-31 17:07:51 +08:00
.gitpod.yml Use official Vue extension in Gitpod (#24609) 2023-05-09 18:03:50 +00:00
.golangci.yml Refactor INI package (first step) (#25024) 2023-06-02 17:27:30 +08:00
.ignore Remove the service worker (#25010) 2023-05-31 02:07:04 +00:00
.markdownlint.yaml Add markdownlint (#20512) 2022-07-28 09:22:47 +08:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.spectral.yaml Add spectral linter for Swagger (#20321) 2022-07-11 18:07:16 -05:00
.stylelintrc.yaml Fix `@font-face` overrides (#24855) 2023-05-24 01:48:51 +00:00
BSDmakefile update BSDmakefile to latest version from upstream (#24063) 2023-04-11 23:42:22 -04:00
CHANGELOG.md Changelog for 1.19.3 (#24495) (#24506) 2023-05-03 22:05:47 -04:00
CODE_OF_CONDUCT.md Add Gitea Community Code of Conduct (#23188) 2023-03-09 10:49:34 +08:00
CONTRIBUTING.md Update `CONTRIBUTING.md` (#24492) 2023-05-23 14:22:40 +02:00
DCO Remove address from DCO (#22595) 2023-01-24 18:52:38 +00:00
Dockerfile Update to Alpine 3.18 (#24700) 2023-05-14 01:49:00 +00:00
Dockerfile.rootless Update to Alpine 3.18 (#24700) 2023-05-14 01:49:00 +00:00
LICENSE Fix typo 2016-11-08 08:42:05 +01:00
MAINTAINERS Add self to maintainers (#23644) 2023-05-25 07:58:38 +08:00
Makefile Remove the service worker (#25010) 2023-05-31 02:07:04 +00:00
README.md Fix broken `README` link (#24546) 2023-05-06 16:16:06 +08:00
README_ZH.md link update in README files (#22582) 2023-01-23 15:57:57 -05:00
SECURITY.md Add markdownlint (#20512) 2022-07-28 09:22:47 +08:00
build.go User/Org Feed render description as per web (#23887) 2023-04-04 04:39:47 +01:00
go.mod Update github.com/google/go-github to v52 (#24004) 2023-05-31 00:31:51 +00:00
go.sum Update github.com/google/go-github to v52 (#24004) 2023-05-31 00:31:51 +00:00
main.go Rewrite logger system (#24726) 2023-05-21 22:35:11 +00:00
package-lock.json Remove the service worker (#25010) 2023-05-31 02:07:04 +00:00
package.json Remove the service worker (#25010) 2023-05-31 02:07:04 +00:00
playwright.config.js Update JS dependencies and eslint config (#21388) 2022-10-10 20:02:20 +08:00
vitest.config.js Update JS dependencies (#24218) 2023-04-19 22:36:41 -04:00
webpack.config.js Remove the service worker (#25010) 2023-05-31 02:07:04 +00:00

README.md

Gitea

Gitea - Git with a cup of tea

Contribute with Gitpod

View this document in Chinese

Purpose

The goal of this project is to make the easiest, fastest, and most painless way of setting up a self-hosted Git service.

As Gitea is written in Go, it works across all the platforms and architectures that are supported by Go, including Linux, macOS, and Windows on x86, amd64, ARM and PowerPC architectures. You can try it out using the online demo. This project has been forked from Gogs since November of 2016, but a lot has changed.

Building

From the root of the source tree, run:

TAGS="bindata" make build

or if SQLite support is required:

TAGS="bindata sqlite sqlite_unlock_notify" make build

The build target is split into two sub-targets:

  • make backend which requires Go Stable, required version is defined in go.mod.
  • make frontend which requires Node.js LTS or greater and Internet connectivity to download npm dependencies.

When building from the official source tarballs which include pre-built frontend files, the frontend target will not be triggered, making it possible to build without Node.js and Internet connectivity.

Parallelism (make -j <num>) is not supported.

More info: https://docs.gitea.io/en-us/install-from-source/

Using

./gitea web

NOTE: If you're interested in using our APIs, we have experimental support with documentation.

Contributing

Expected workflow is: Fork -> Patch -> Push -> Pull Request

NOTES:

  1. YOU MUST READ THE CONTRIBUTORS GUIDE BEFORE STARTING TO WORK ON A PULL REQUEST.
  2. If you have found a vulnerability in the project, please write privately to security@gitea.io. Thanks!

Translating

Translations are done through Crowdin. If you want to translate to a new language ask one of the managers in the Crowdin project to add a new language there.

You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope to fill it as questions pop up.

https://docs.gitea.io/en-us/contributing/translation-guidelines/

Crowdin

Further information

For more information and instructions about how to install Gitea, please look at our documentation. If you have questions that are not covered by the documentation, you can get in contact with us on our Discord server or create a post in the discourse forum.

We maintain a list of Gitea-related projects at gitea/awesome-gitea.

The Hugo-based documentation theme is hosted at gitea/theme.

The official Gitea CLI is developed at gitea/tea.

Authors

Backers

Thank you to all our backers! 🙏 [Become a backer]

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

FAQ

How do you pronounce Gitea?

Gitea is pronounced /ɡɪti:/ as in "gi-tea" with a hard g.

Why is this not hosted on a Gitea instance?

We're working on it.

License

This project is licensed under the MIT License. See the LICENSE file for the full license text.

Screenshots

Looking for an overview of the interface? Check it out!

Dashboard User Profile Global Issues
Branches Web Editor Activity
New Migration Migrating Pull Request View
Pull Request Dark Diff Review Dark Diff Dark